IETF Logo Mail Archive

Re: [Add] Mozilla's DoH resolver policy

"Ralf Weber" <dns@fl1ger.de> Thu, 11 April 2019 09:37 UTC

Return-Path: <dns@fl1ger.de>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BCB91202B1 for <add@ietfa.amsl.com>; Thu, 11 Apr 2019 02:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mMwTRx5DetP4 for <add@ietfa.amsl.com>; Thu, 11 Apr 2019 02:37:21 -0700 (PDT)
Received: from smtp.guxx.net (smtp.guxx.net [IPv6:2a01:4f8:a0:322c::25:42]) by ietfa.amsl.com (Postfix) with ESMTP id 7FDFC120299 for <add@ietf.org>; Thu, 11 Apr 2019 02:37:21 -0700 (PDT)
Received: by nyx.guxx.net (Postfix, from userid 107) id 89D4A5F40689; Thu, 11 Apr 2019 11:37:20 +0200 (CEST)
Received: from [172.19.152.251] (p4FF53610.dip0.t-ipconnect.de [79.245.54.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 936A95F40043; Thu, 11 Apr 2019 11:37:19 +0200 (CEST)
From: Ralf Weber <dns@fl1ger.de>
To: Valentin Gosu <valentin.gosu@gmail.com>
Cc: add@ietf.org, Martin Thomson <mt@lowentropy.net>
Date: Thu, 11 Apr 2019 11:37:18 +0200
X-Mailer: MailMate (1.12.4r5594)
Message-ID: <ED802588-CD5D-4F80-914D-CA25EE234424@fl1ger.de>
In-Reply-To: <CACQYfiKeh=FgmB9RN=eJ-2tq4jyTg55fep4au9SeGe3U5VkMBQ@mail.gmail.com>
References: <297C80CE-F017-4F4A-80E2-79941E8B9E02@icann.org> <b64761dc-dfab-e4e1-4bfb-82d607efa590@riseup.net> <alpine.LRH.2.21.1904101324530.9940@bofh.nohats.ca> <64aeff58-6d68-4c4f-b991-2b2f62d193a0@www.fastmail.com> <90A5C5C4-373C-4B39-80C2-C115CD23CB4D@fl1ger.de> <CACQYfiJa1i2LVgQDcHi_OknmDDKZiaw=++Y6imn34LcPULP3bQ@mail.gmail.com> <E0CA1520-74D4-4A41-9B44-10946FAB4534@fl1ger.de> <CACQYfiKeh=FgmB9RN=eJ-2tq4jyTg55fep4au9SeGe3U5VkMBQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/JqzJ-5dmeT7uoGNWKGL9bgJG3HA>
Subject: Re: [Add] Mozilla's DoH resolver policy
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 09:37:24 -0000

Moin!

On 11 Apr 2019, at 11:26, Valentin Gosu wrote:
>>> See https://bugzilla.mozilla.org/show_bug.cgi?id=1525854
>> The problem is to decide between SERVFAIL error caused by network events
>> or a SERVFAIL by DNSSEC. That is a problem, but if your network or your
>> resolvers network is bad why would you fallback to an insecure mechanism
>> anyway?
>>
>
> To prevent disruptions to the user's browsing.
Again why do you think it will get better asking unencrypted? It is a nice
way to find out if someone is using DoH though ;-).

In regular DNS your resolving library had n servers and if one did timeout
or SERVFAIL it did ask the others. It didn’t try a different transport.

Maybe this is a better behaviour for DoH also.

So long
-Ralf
—--
Ralf Weber

v2.23.0 | Report a Bug | By Email